[EXP] OIDC via direct provider config

.github/workflows/run-acceptance-tests.yml

@@ -502,13 +502,13 @@ jobs:
       with:
         token: ${{ secrets.GITHUB_TOKEN }}
         version: v2.4.0
-    - name: Configure AWS Credentials
-      uses: aws-actions/configure-aws-credentials@v4
-      with:
-        aws-region: ${{ env.AWS_REGION }}
-        role-duration-seconds: 3600
-        role-session-name: ${{ env.PROVIDER }}@githubActions
-        role-to-assume: arn:aws:iam::894850187425:role/github-oidc
+    # - name: Configure AWS Credentials
+    #   uses: aws-actions/configure-aws-credentials@v4
+    #   with:
+    #     aws-region: ${{ env.AWS_REGION }}
+    #     role-duration-seconds: 3600
+    #     role-session-name: ${{ env.PROVIDER }}@githubActions
+    #     role-to-assume: arn:aws:iam::894850187425:role/github-oidc
     - name: Make upstream
       run: make upstream
     - name: Run tests

examples/bucket/index.ts

@@ -17,10 +17,20 @@ import * as pulumi from "@pulumi/pulumi";
 // https://github.com/pulumi/pulumi-aws/issues/772
 import { Bucket } from "@pulumi/aws/s3";
 import * as aws from "@pulumi/aws";
+import * as gh from "@actions/core";
 import * as s3 from "@aws-sdk/client-s3";
 
 const config = new pulumi.Config("aws");
-const providerOpts = { provider: new aws.Provider("prov", { region: <aws.Region>config.require("envRegion") }) };
+const providerOpts = {
+    provider: new aws.Provider("prov", {
+        region: <aws.Region>config.require("envRegion"),
+        assumeRoleWithWebIdentity: {
+            roleArn: process.env["OIDC_ROLE_ARN"],
+            webIdentityToken: gh.getIDToken("sts.amazonaws.com"),
+            sessionName: "pulumi-bucket",
+        },
+    })
+};
 
 const bucket = new Bucket("testbucket", {
     serverSideEncryptionConfiguration: {